Authentication and authorization of Nastel Navigator Security Manager users for Apache Tomcat application server can be implemented by modifying XML files. See below for the modification steps.
web.xml
Perform the below updates on the web.xml file, located in AutoPilotM6\apache-tomcat\webapps\apodwsm\WEB-INF\web.xml.
- The following servlet stanza:

<servlet>
<servlet-name>FacesServlet</servlet-name>
<servlet-class>javax.faces.webapp.FacesServlet</servlet-class>
<load-on-startup>1</load-on-startup>
</servlet>

should get a <security-role-ref> definition, as in:

<servlet>
<servlet-name>FacesServlet</servlet-name>
<servlet-class>javax.faces.webapp.FacesServlet</servlet-class>
<load-on-startup>1</load-on-startup>
<security-role-ref>
<role-name>m6admin</role-name>
<role-link>GrpMiddlewareSupport</role-link>
</security-role-ref>
</servlet>

where GrpMiddlewareSupport is the name of the LDAP role (group) chosen by the administrator. The <role-name> is the role the application checks for (m6admin); the <role-link> maps it to the group name the realm returns for the user.

- The following auth-constraint stanza of web.xml:

<auth-constraint>
<!-- Anyone with one of the listed roles may access this area -->
<role-name>m6admin</role-name>
</auth-constraint>

should get one more role-name definition, as in:

<auth-constraint>
<!-- Anyone with one of the listed roles may access this area -->
<role-name>m6admin</role-name>
<role-name>GrpMiddlewareSupport</role-name>
</auth-constraint>

- The security-role section at the end of web.xml gets a third role, as in:

<security-role>
<role-name>m6admin</role-name>
</security-role>
<security-role>
<role-name>m6audit</role-name>
</security-role>
<security-role>
<role-name>GrpMiddlewareSupport</role-name>
</security-role>

Some LDAP servers require the fully qualified role name, i.e. the distinguishedName of the group. In that case, instead of GrpMiddlewareSupport, all three places above should use:

CN=GrpMiddlewareSupport,CN=Users,DC=nastel1,DC=main

Whichever form is used, the role name in web.xml must match exactly, including case, the value the realm returns for the group.
server.xml
Perform the below updates on the server.xml file located in AutoPilotM6\apache-tomcat\conf\server.xml.
- Comment out or delete this stanza:

<Resource name="UserDatabase" auth="Container"
type="org.apache.catalina.UserDatabase"
description="User database that can be updated and saved"
factory="org.apache.catalina.users.MemoryUserDatabaseFactory"
pathname="conf/tomcat-users.xml" />

- The Realm stanza:

<Realm className="org.apache.catalina.realm.LockOutRealm">
<Realm className="org.apache.catalina.realm.UserDatabaseRealm"
resourceName="UserDatabase"/>
</Realm>

should become:

<Realm className="org.apache.catalina.realm.JNDIRealm"
debug="99"
adCompat="true"
referrals="follow"
connectionURL="ldap://11.0.0.1:389"
connectionName="CN=John Doe,CN=Users,DC=nastel1,DC=main"
connectionPassword="johndoepasswdgoeshere"
userBase="CN=Users,DC=NASTEL1,DC=MAIN"
userSearch="sAMAccountName={0}"
userSubtree="true"
userRoleName="member"
roleBase="CN=Users,DC=NASTEL1,DC=MAIN"
roleName="CN"
roleSearch="(member={0})"
roleSubtree="false" />

Replace the server address, the bind account (connectionName and connectionPassword) and the user and role base DNs with the values for your directory. The bind account only needs read access to the user and group entries; the realm never writes to the directory.

On some LDAP servers, 'memberOf' should replace 'member' in the two occurrences above (userRoleName and roleSearch).

Notes:
- As written, the JNDIRealm replaces the LockOutRealm wrapper, so Tomcat no longer locks an account after repeated failed logins. To keep that protection, put the JNDIRealm element inside the LockOutRealm element in place of the UserDatabaseRealm instead.
- A connectionURL of ldap:// is unencrypted: the bind password and every user's password are sent to the directory in cleartext. Use ldaps:// (port 636) or useStartTls="true" where the directory supports it. The connectionPassword is also stored in cleartext in server.xml, so restrict read access to the file.
- On Tomcat 6 and later the debug attribute is ignored (Tomcat logs a "did not find a matching property" warning at startup); use logging.properties, described below, to get realm logging.

If a user who authenticates against the directory (John Doe in this example) is a member of GrpMiddlewareSupport, access is granted. A user whose credentials are valid but who is not a member of that group receives an HTTP 403 (Forbidden) response.
context.xml
Perform the below updates on the context.xml file located in AutoPilotM6\apache-tomcat\webapps\apodwsm\META-INF\context.xml.
Delete or comment out the realm stanza:

<Realm
className="org.apache.catalina.realm.UserDatabaseRealm"
debug="0"
resourceName="UserDatabase"
validate="true"/>

A Realm defined in a web application's context.xml overrides the Realm from server.xml for that application, so leaving this stanza in place would keep the file-based user database active for apodwsm regardless of the server.xml changes above.
tomcat-users.xml
The file AutoPilotM6\apache-tomcat\conf\tomcat-users.xml should have all role and user entries deleted or commented out, since the file-based user database is no longer used for authentication, as in:

<!--
<role rolename="tomcat"/>
<role rolename="role1"/>
<user username="tomcat" password="pwd" roles="tomcat"/>
-->
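As an added example (not part of the Nastel documentation or of the product), the following Python script applies the three web.xml changes through an XML parser, so the result stays well-formed and re-running it does not duplicate entries, and then audits server.xml, context.xml and tomcat-users.xml for leftovers that would keep the file-based realm active. The sample XML strings are constructed stand-ins in the shape the page shows, not the real files; the ldaps://11.0.0.1:636 URL, the nesting of the JNDIRealm inside the LockOutRealm in the "after" sample, and the function and finding names are assumptions made here. It needs Python 3.8 or later (for comment-preserving parsing).

```python
import xml.etree.ElementTree as ET

# Constructed sample files in the shape the page shows; NOT the real Nastel files.
WEB_XML_BEFORE = """<web-app xmlns="http://java.sun.com/xml/ns/javaee" version="3.0">
  <servlet>
    <servlet-name>FacesServlet</servlet-name>
    <servlet-class>javax.faces.webapp.FacesServlet</servlet-class>
    <load-on-startup>1</load-on-startup>
  </servlet>
  <security-constraint>
    <web-resource-collection><url-pattern>/*</url-pattern></web-resource-collection>
    <auth-constraint>
      <!-- Anyone with one of the listed roles may access this area -->
      <role-name>m6admin</role-name>
    </auth-constraint>
  </security-constraint>
  <security-role><role-name>m6admin</role-name></security-role>
  <security-role><role-name>m6audit</role-name></security-role>
</web-app>"""
SERVER_XML_BEFORE = """<Server><GlobalNamingResources>
  <Resource name="UserDatabase" type="org.apache.catalina.UserDatabase"/>
</GlobalNamingResources><Service><Engine>
  <Realm className="org.apache.catalina.realm.LockOutRealm">
    <Realm className="org.apache.catalina.realm.UserDatabaseRealm" resourceName="UserDatabase"/>
  </Realm>
</Engine></Service></Server>"""
# Assumed target state: JNDIRealm kept inside LockOutRealm, LDAPS instead of plain ldap://.
SERVER_XML_AFTER = """<Server><GlobalNamingResources>
  <!-- <Resource name="UserDatabase" type="org.apache.catalina.UserDatabase"/> -->
</GlobalNamingResources><Service><Engine>
  <Realm className="org.apache.catalina.realm.LockOutRealm">
    <Realm className="org.apache.catalina.realm.JNDIRealm" connectionURL="ldaps://11.0.0.1:636"
           userBase="CN=Users,DC=NASTEL1,DC=MAIN" userSearch="sAMAccountName={0}"/>
  </Realm>
</Engine></Service></Server>"""
CONTEXT_XML_BEFORE = '<Context><Realm className="org.apache.catalina.realm.UserDatabaseRealm" resourceName="UserDatabase"/></Context>'
CONTEXT_XML_AFTER = '<Context><!-- <Realm className="org.apache.catalina.realm.UserDatabaseRealm"/> --></Context>'
USERS_XML_BEFORE = '<tomcat-users xmlns="http://tomcat.apache.org/xml"><role rolename="tomcat"/><user username="tomcat" password="pwd" roles="tomcat"/></tomcat-users>'
USERS_XML_AFTER = '<tomcat-users xmlns="http://tomcat.apache.org/xml"><!-- <user username="tomcat" password="pwd" roles="tomcat"/> --></tomcat-users>'


def _local(tag):
    """Tag name without the {namespace} prefix ElementTree adds (comment nodes have no str tag)."""
    return tag.rsplit("}", 1)[-1] if isinstance(tag, str) else ""


def add_ldap_group_role(web_xml, group, servlet_name="FacesServlet", link_role="m6admin"):
    """Wire GROUP into web.xml at the three places the page lists. Idempotent; keeps comments."""
    root = ET.fromstring(web_xml, parser=ET.XMLParser(target=ET.TreeBuilder(insert_comments=True)))
    ns = root.tag[1:root.tag.index("}")] if root.tag.startswith("{") else ""
    if ns:
        ET.register_namespace("", ns)  # serialize with the default namespace, not an ns0: prefix
    q = (lambda n: f"{{{ns}}}{n}") if ns else (lambda n: n)
    # 1) <security-role-ref>: role-name is what the app checks, role-link is the LDAP group
    servlets = [s for s in root.findall(q("servlet")) if s.findtext(q("servlet-name")) == servlet_name]
    if not servlets:
        raise ValueError(f"no <servlet> named {servlet_name} in web.xml")
    for servlet in servlets:
        if group not in [r.findtext(q("role-link")) for r in servlet.findall(q("security-role-ref"))]:
            ref = ET.SubElement(servlet, q("security-role-ref"))
            ET.SubElement(ref, q("role-name")).text = link_role
            ET.SubElement(ref, q("role-link")).text = group
    # 2) one more <role-name> in every <auth-constraint>
    for ac in root.iter(q("auth-constraint")):
        if group not in [r.text for r in ac.findall(q("role-name"))]:
            ET.SubElement(ac, q("role-name")).text = group
    # 3) declare the role in the <security-role> list at the end of the file
    if group not in [sr.findtext(q("role-name")) for sr in root.findall(q("security-role"))]:
        ET.SubElement(ET.SubElement(root, q("security-role")), q("role-name")).text = group
    return ET.tostring(root, encoding="unicode")


def audit_realm_config(server_xml, context_xml, tomcat_users_xml):
    """Findings that would keep the file-based realm alive or weaken the LDAP realm.
    Plain ET.fromstring drops XML comments, so a commented-out stanza counts as removed."""
    problems = []
    server = ET.fromstring(server_xml)
    if any(e.get("name") == "UserDatabase" for e in server.iter() if _local(e.tag) == "Resource"):
        problems.append("server.xml: UserDatabase Resource still defined")
    realms = [e for e in server.iter() if _local(e.tag) == "Realm"]
    if any(r.get("className", "").endswith("UserDatabaseRealm") for r in realms):
        problems.append("server.xml: UserDatabaseRealm still active")
    jndi = [r for r in realms if r.get("className", "").endswith("JNDIRealm")]
    if not jndi:
        problems.append("server.xml: no JNDIRealm configured")
    for r in jndi:  # the bind password and every user's password travel over this connection
        if r.get("connectionURL", "").startswith("ldap://") and r.get("useStartTls", "").lower() != "true":
            problems.append("server.xml: JNDIRealm uses plain ldap:// without useStartTls (cleartext credentials)")
    if any(_local(e.tag) == "Realm" for e in ET.fromstring(context_xml).iter()):
        problems.append("context.xml: Realm still present; it overrides the server.xml realm for this webapp")
    if any(_local(e.tag) in ("user", "role") for e in ET.fromstring(tomcat_users_xml).iter()):
        problems.append("tomcat-users.xml: active user/role entries remain")
    return problems


if __name__ == "__main__":
    print(add_ldap_group_role(WEB_XML_BEFORE, "GrpMiddlewareSupport"))
    print(audit_realm_config(SERVER_XML_BEFORE, CONTEXT_XML_BEFORE, USERS_XML_BEFORE))
    print(audit_realm_config(SERVER_XML_AFTER, CONTEXT_XML_AFTER, USERS_XML_AFTER))  # []
```

To use it on a real installation, read each file into a string, write the string returned by add_ldap_group_role back to web.xml, and pass the other three files to audit_realm_config; an empty list means every stanza the page asks you to remove is gone (or commented out) and the JNDIRealm is the only realm left. Passing the distinguishedName form of the group works the same way, since the script only compares strings.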
logging.properties
(Optional) For finer-grained logging of the realm and authenticator to the date-stamped catalina log in AutoPilotM6\apache-tomcat\logs (for example catalina.2021-05-03.log), add the following lines to AutoPilotM6\apache-tomcat\conf\logging.properties.

org.apache.catalina.realm.level = ALL
org.apache.catalina.realm.useParentHandlers = true
org.apache.catalina.authenticator.level = ALL
org.apache.catalina.authenticator.useParentHandlers = true
1catalina.org.apache.juli.FileHandler.bufferSize = -1
java.util.logging.ConsoleHandler.level = ALL
org.apache.catalina.level = FINEST
org.apache.catalina.realm.JNDIRealm.level = FINEST
org.apache.catalina.realm.JNDIRealm.useParentHandlers = true
org.apache.catalina.core.ContainerBase.[Catalina].[localhost].level = INFO
org.apache.catalina.core.ContainerBase.[Catalina].[localhost].handlers = 2localhost.org.apache.juli.FileHandler

These levels are very verbose (ALL and FINEST log every directory search and bind attempt) and the bufferSize of -1 flushes the file after every write, so revert them once the LDAP login is working.
All modifications to the XML and properties files will be effective upon restarting Tomcat.